Posted
by
samzenpus
on Monday February 09, 2015 @05:00PM
from the little-mistakes dept.

itwbennett writes Silk Road was based on an expectation of anonymity: Servers operated within an anonymous Tor network. Transactions between buyers and sellers were conducted in bitcoin. Everything was supposedly untraceable. Yet prosecutors presented a wealth of digital evidence to convince the jury that Ross Ulbricht was Dread Pirate Roberts, the handle used by the chief operator of the site. From Bitcoin to server logins and, yes, Facebook, here's a look at 5 technologies that tripped Ulbricht up.

Yes, being social and open is the opposite of being private. Plenty of people are well aware of the consequences and make that choice of their own free will.

Then there are also idiots like Ulbricht who have pretty much a religion around Tor, Bitcoin, and crypto and think it can actually guarantee their privacy when they're doing stuff that they shouldn't be doing.

Indeed. What "betrayed" Ulbricht was his own incompetence and/or laziness. None of the technologies mentioned worked in any other way than expected by a competent individual. Plain, old-fashioned police work was quite enough to find him, and the only tricky part was getting to his laptop while it was decrypted. And even that only helped because he did not separate his data into different encrypted containers, and unlocked the disk in public, with no working dead-man switch.

The problem is not his particular slip-ups - it's the widespread nerd belief that Tor, Bitcoin and crypto are going to keep you safe from whoever-you're-a-thorn-in-the-side-to [xkcd.com]. The list of potential ways to accidentally leak your identity is massive; sooner or later, you're going to slip up. Just like what happens with all "perfect crimes".

Honestly, if you really want to be safe from arrest (at least for a while), move to Russia, pay off and/or befriend the right people, be a Putin supporter, and only do th

What you say is partially true. It is fully true if you still want convenience (and Ulbricht clearly did). If you do things right, you get a very high level of security, but it means things like having no storage in you laptop, only a tails CD, typing in long passwords yourself, and never, ever use any computer that ever has seen your real identity for any "business"-related task ever.

That said, most people cannot get to that stage, but if you ever have worked with a computer that is authorized for classifi

Honestly, if you really want to be safe from arrest (at least for a while), move to Russia, pay off and/or befriend the right people, be a Putin supporter, and only do things that are a PITA to people in western countries. In the current political climate they're more likely to give you a medal than deport you.

Wouldn't it work the other way around, too? Stay in the US, but only do things that are a PITA to people in places like Russia or China?

Yup. The real secret to not being caught by Columbo is not, as would be geniuses tend to think, by having a "full proof" scheme by which Columbo will never be able to prove you did it. It is by never showing up on Columbo's suspect list in the first place. Ulbricht's post that reveals his email was probably his doom, putting him on a select list of mere hundreds of people who knew about Silk Road early in the game. Then it becomes a numbers game, and the list shortens and shortens until the Dread Pirate has made one too many small errors.

While I am not, and have not been involved in any criminal matters, I happen to be somewhat paranoid about my privacy. If you have.. interesting private fetishes that won't get you into any legal trouble but WILL generate mockery from your co-workers, you learn that in that private world you have to simply be very careful.

Let me tell you, if you want to keep your professional and private lives separate, being 'careful' for decades is very, very difficult. You always have to resist the impulse to chat about what you do at work, lest you create a connection between the two. You have to resist posting about each side in their various communications forums.

Maintaining privacy for extended periods of time is just difficult. For a week? Sure! Constant vigilance! Wheee! After a year, you start to slack off. Maybe you start to think "fuck it." Maybe not getting caught with anything will make you lower your guard. Maybe there will be a point of time when you start to take shortcuts. You may also greatly regret the public Usenet postings you made under your real name in your early college years when you were young and dumb and thought "privacy? Who will ever care about this?" You might even think "eh, I'm tired of being in the closet. Who really cares if I'm a furry anyway? I don't even do any of that weird stuff people would associate with them."

Then you come back to your senses and get back into the closet, and keep your two lives separate! But boy, it's difficult to not accidentally leave evidence around Google, etc.

I mean, the "cybercrime" investigators that work for the FBI are not stupid and they're not incompetent. If you're running a large, well-known drug-selling site, they probably will put resources into finding you. On top of that, the deck is really stacked against you -- as a criminal, you need to avoid making any mistakes, while the investigator only need to wait for you to make a mistake. They're patient. (And "investigator" is not just people working for the police -- it's also anyone who might both have reason to dislike you and also motivation to reveal your identity to the police.) So, it may well be possible to hide indefinitely from prosecution, but it's not easy.

That's just the thing, at some point someone will make a mistake, he should have been more like the Dread Pirate Roberts and retired before that happened. From what I understand he had made a lot of money, should have walked away while he still could (yeah, yeah I know easier said than done).

or, as evidenced by his breaking of his own rule "Don't face away from the door" when accessing network in public" (cheated, article insight), he had been overcome with the paranoia of getting caught for so long that he believed it to be inevitable. It seems there were protocols in place for multiple wallet (camouflage) transfer that he may have ignored in transferring money to his own laptop accounts.

We can agree he was not an honest boy, but he did some smart shit for a while... he just

It seems to me, that when he was just starting he didn't realize the magnitude of the enterprise he was launching; later he tried to go back & cover his tracks, but couldn't do it completely. And then he made a few slipups along the way.

Sounds like the FB link was used more for correlation than direct evidence -- they even included an example (the FB account had pictures from Thailand posted at approximately the same time that DPR was bragging about a trip to Thailand on some other forum.) Its unlikely he did anything like posting "come see my illegal website!" on his real-name account. (Of course they did mention that he used his own name @gmail.com for a reply address so who knows..)

They didn't tip anything. All of this is pretty obvious investigation methods. Mouse wigglers and other tools to keep laptops and desktops powered and unlocked while you move them have been around for a long time.

Recon planes did not mysteriously show up five minutes before. Recon plane pilots were told to search in this area today, just do it and don't ask questions, and things proceeded from there.

Nor did he fool Doenitz, who suspected that his communications were being read. He went to the Germany crypto folks, and they said, "No, that's impossible, but if you insist we'll give you a special Enigma with an extra rotor". This is one reason why 1942 was a good year for Germany in the Battle of the Atlantic.

And how did they know to stalk him until they found him with his laptop open and unlocked to begin with? I haven't followed the case closely, but from the article I didn't see what technological failure led them to him to begin with. Every point seemed to be: Once they had his laptop, they could prove he did XXX because of this technology. Maybe I missed the part where they explained how he became a suspect worth stalking to a library to begin with. Until that's explained, seems like secret NSA method i

He posted on Bitcointalk.org early on about the site and then later on posted a help wanted add on Bitcointalk.org that contained his personal real name email address rossulbricht at gmail dot com. That was pretty damn stupid.

It looks to me that the biggest goof he made was using the Altoid pseudonym more than once, and on one occasion leaving an obvious connection to himself. After that it was mainly just patience on behalf of the law enforcement officers. If he had not made that crucial mistake they probably would still not have any idea who dreadpirateroberts was.

You can't be anonymous with a handle. This was a case of ego, and wanting a 'name' to associate with 'deeds'. Just because a name isn't one you are born with doesn't mean it isn't associated with you. Even if you create a false identity to represent you, you still own that identity. Even an encryption key can be an alias. Police are completely used to tracking people by alias, and linking aliases to human beings. It's their job, they have been doing it for years.

The advantages to Encryption and defense-in-depth strategies is they are based on the triad of information assurance, one key of that is "non-repudiation". The "downside" to non-repudiation is the ability to connect the dots come litigation time. Interesting that they mention that the SSH sessions used key based authentication when the opposing attorneys claimed that anyone can name their systems "frosty" and use the login name "frosty". My question is, did the key on the laptop that was supposedly logged in as "frosty" also correlate to the key on the server? If so, the "anyone" list just got a lot smaller.

I think the knee-jerk response is to say that the problem exists between the chair and keyboard. Just reading the article makes it impossible to draw another conclusion. He was nabbed in a public library before he had a chance to turn his laptop off so nothing was encrypted. Similarly, ARE YOU TAKING NOTES ON A CRIMINAL FUCKING CONSPIRACY [youtu.be]? Why would you ever keep data in plain text even if the hard drive is encrypted? I am not expecting the FBI to raid me at any time, but just out of caution, I have my computer encrypted using Bitlocker (yeah, I know) and all data at rest is stuck in a hidden TrueCrypt partition. If I want to access it, I have to sign in separately. But most hilariously, he had a stupid freaking Facebook page that linked him directly to his true identity and Silk Road.

However, this only underscores how difficult it is to have operational security for any complex business. At some point, he needs to keep track of all transactions, with reasonably easy access. It's a pain in the ass for me to repeatedly log in and access data. I can only imagine how difficult it must have been to conduct business. I guess the bottom line is that physical security is crucial.

I am not expecting the FBI to raid me at any time, but just out of caution, I have my computer encrypted using Bitlocker (yeah, I know) and all data at rest is stuck in a hidden TrueCrypt partition. If I want to access it, I have to sign in separately.

and if you are nabbed when you have signed in and your TrueCrypt partition is exposed?

Why would you ever keep data in plain text even if the hard drive is encrypted?

Because its very hard to read when its in encrypted form. That's why they had to nab him after he had everything unlocked and fast enough that he wouldn't have the opportunity to lock it again.

Just think of how many people they would have had to have just sitting around moving the mouse every couple of minutes around the clock to ensure that the laptop didn't go into screen saver mode and auto-lock itself again lol (well ok probably only long enough to copy the HDD to an unencrypted external drive.)

As to moving the mouse, there are devices for that. And the first thing you do is to copy-off all data and full the memory content. If you have Firewire, the second can even be done by somebody that has no computer skills at all.

The article is more than a little sensational too. "He was done in by CHAT!" No, he was done in by keeping a goddamn log of his criminal activities. The fact that it happened to be chat is beside the point. Probably the only entry in there that deserves the headline is the Bitcoin one, only because it highlights how people misrepresent Bitcoin (It's so anonymous that every single transaction ever is recorded on the internet!). The article points out that he could have used tumblers to hide his bitcoins, but with the volume of coins Silk Road deals with that probably wasn't practical. Tumblers are really only useful for relatively small numbers of coins at a time. Put too many in and take too many out and your transactions stand out.

The article does harp a lot on how this information was only available because Ulbrict was dumb and let his laptop be snatched out of his hands while he was logged in. It is somewhat frightening to consider how poor the government's case might be if he had simply been facing the other direction.

Well if he was facing the other direction the government wouldn't be bringing the case to trial yet - the cops didn't just stumble into him and luck out, they were monitoring him looking for an opportune moment to strike.

Indeed. Or if he was using a honey-pot himself (working with a completely clean computer and ssh in to some completely clean servers to have the feds think he was doing something bad), when in reality he was giving then an "easy" way to get at his data. Good security includes traps for the attackers...

That would require him being both a criminal mastermind and probably tipped off that he was about to be snagged. This was a guy who got scammed out of over a million bucks by a confidence game. He wasn't a tremendous mastermind. Just a guy who was smart enough to set up a website using the Darknet and Bitcoin for the most obvious application of both but had the crazy idea of maybe not making it a scam this time (like most other darknet drug site) and actually selling the drugs.

This seems like a perfect use of parallel construction: figure out who he is by using illegal/secret technologies, and develop a plausible narrative of how legal methods were actually used. Maybe we are jumping too quickly to the "He was stupid" conclusion.

If they only found him by ?illegal NSA wiretapping? the laptop would inadmissible. My understanding is that most parallel construction (supposedly) isn't for the sake of using illegally obtained evidence but simply to protect the method or person by which the evidence was obtained. Which also could be the case here. Maybe they actually got him using a sophisticated and warranted attack that th

My understanding is that most parallel construction (supposedly) isn't for the sake of using illegally obtained evidence but simply to protect the method or person by which the evidence was obtained.

May I inquire as to why you think this? Do you have any interesting evidence or even anecdotes that lead you to this conclusion or is this just what the nice man from the DOJ told you?

Additionally I can see virtue in protecting the persons evidence was obtained from in *some* cases, but the methods? In a free society with an adversarial justice system based on the presumption of innocence, what legitimate goals are furthered by secrecy around evidence gathering methods?

That's my point thought defendants have right to defend themselves. When does covering up evidence gathering methods serve a legitimate judicial use? Why would hiding the methods used to gather evidence be necessary unless for example the government did something illegal?

Conducted a search without cause, hacked a system in violation of the CFAA, inserted a mole acting as an agent of the state who induced you to commit the crime which would make it entrapment; etc.

That's my point thought defendants have right to defend themselves. When does covering up evidence gathering methods serve a legitimate judicial use? Why would hiding the methods used to gather evidence be necessary unless for example the government did something illegal?

Um that's what parallel construction is. Getting information though illegal means (usually better and quicker) and the presenting a story about how you got it legally.

Both the "inevitability" and "good-faith" exceptions might apply in this case. But in the end the defence didn't or couldn't use parallel construction to get the laptop evidence omitted so it's irrelevant.

My understanding is that most parallel construction (supposedly) isn't for the sake of using illegally obtained evidence but simply to protect the method or person by which the evidence was obtained.

Parallel construction is illegal even if there is a warrant, because the accused has a Constitutional right to face his accuser. Keeping the method of obtaining evidence secret is simply not allowed (at least, as long as the court itself is actually obeying the law).

The lap top was just the endgame - he'd already left enough small clues scattered about for law enforcement to figure out who was worth looking at. He made the classic security error of the n00b, he thought he had encryption and that made him safe.

Sure, I suppose the NSA could have used magical spying technology to know everything about Dread Pirate Roberts, but whether they did or not, they didn't need to. He had left enough clues about DPR's identity scattered around in public to put him on a small list of suspects.

Indeed. And in fact this story is good for freedom, as we can now point out that this guy was caught without dragnet surveillance, without breaking crypto and without all the other stuff the NSA does. Hence what the NSA does gets zero positive press from this, but rather their claims of what it does as being "necessary" is exposed as a lie even for catching hardened Internet drug-lords and murderers.

Sure, I suppose the NSA could have used magical spying technology to know everything about Dread Pirate Roberts, but whether they did or not, they didn't need to. He had left enough clues about DPR's identity scattered around in public to put him on a small list of suspects.

I don't intend to suggest something underhand happened, but I want to highlight what I feel is a flaw to this logic. Once you know someone has committed a crime it will be comparatively simple to find masses of evidence. Yes he might of

*** Yes he might of left information around that could help narrow down suspects, or even incriminate himself, but that doesn't mean that it would have been found, noticed, and acted on.***

Well, Silkroad was a huge piece of evidence for criminal activity. I think it is safe to assume that the FBI tripped over that boulder first. Since it was a web-based auction site, someone must have created it and someone must maintain it. Someone with he nym Dread Pirate Roberts seems to run the show.

I think it is safe to assume that from that moment on the name Ross Ulbricht led the suspect list and all effort was put in to linking DPR to Ross Ulbricht.

I also think it is likely that they caught him exactly as they said he did. That doesn't mean that they shouldn't be expected to keep records to show that is what in fact happened, and have their records audited to ensure they tell the truth. We're seeing far too many cases of things like the FBI protecting the police from having to reveal information a

Bitcoin is not really completely anonymous, but it is portable, and criminals need to move millions of dollars around. With bank regulators in the West being more on top of laundering, criminals want to send their money to countries that are still soft on laundering. To do that, cash is extremely inconvenient. Bitcoin, as long as it is a feasible store of wealth which can be exchanged for currency, is perfect for moving millions out of the US to somewhere where the criminals can cash in.

Yep. Base your operations in Russia or another country reluctant to extradite to the west, and then use bitcoin to get the money to you so it can't be readily blocked. Even if they identify you, they probably can't extradite.

Seems to be the strategy that the CryptoWall folk are using, at least.

"As Ulbricht's trial unfolded over the last month, one character appeared again and again in the chat logs prosecutors pulled from the laptop seized from Ulbricht at the time of his arrest: a man calling himself Variety Jones, and later, Cimon
" ref [wired.com].

Variety Jones, perhaps the true mastermind behind Silk Road [wired.com], had the perfect level of involvement. He was disconnected and impossible to track, which means he ran this empire through a patsy. This isn't meant as an insult to Ulbricht. It's too hard to do everything right at that level of involvement. Jones's mistakes only had negative ramifications for Ulbricht. You could say that his only error that might come back to him was that he didn't explicitly tell Ulbricht to keep logging disabled for his Tor

> Indeed. Just working behind two doors and/or having a dead-man-switch handy would have been enough.

Nobody expects the spanish inquisition, the SAS, GSG-9, S. Matkal, GIGN, GROM, SEAL-6 or Spetnaz to come through the window on fast-rope? With a Silent Hawk Laden-copter hovering above?

In fact, military-style commandos usually enter through the walls, using tube-like shaped charges to form a nice big manhole, out of concern for the possible booby-trapping of doors and windows. Or they will first infiltrat

That is all very impressive, but not relevant at all. The FBI clearly does not have this kind of resources. They did not even manage to bug his keyboard or eavesdrop on it, both well within the range of gifted amateurs. You seem to also forget that a good dead-man-switch will protect against all these as well. The window shatters, the wall blows, you fall of your chair or jerk your hand away from the computer and the thing is locked. You can even easily rig one to your hart-rate or breathing these days.

They used subtlety to find out where he was going to be and patiently waited until they were in a position to quietly sneak up behind him and grab the laptop before he had a chance to do anything about it.

You are correct that Ulbricht was rather arrogant and did not take necessary precautions. I am not a "typical American" that believes brute force beats subtlety. Had they attempted to use brute force, he would have been alerted and managed to do something to prevent them from getting into his laptop.

Indeed. Brute force is rather ineffective if your aim is not mostly indiscriminate destruction. That is why the military is quite unsuitable for a lot of "enforcement"-type tasks. Can be seen in the current drone wars that seem to mostly help terrorist organizations make it easier to recruit followers. "Surgical" removal of a target looks different and collateral damage does win harts and minds, just unfortunately it does so for the other side.

It wasn't "technology" that betrayed him, it was the sort if unthinking stupidity that leads to the downfall of all sorts of criminals. In another era, he would have been boasting about his exploits at a bar or to impress a date.

Thing with bitcoin is, it's perfectly traceable from wallet to wallet, but the wallet locations are the big unknown. You don't know who owns the wallet until you have access to the physical machine it resides on. So, you can easily *confirm* the transaction between two individuals happened once you know what their wallet IDs are, but if you don't know who the wallet belongs to, you're unable to determine the person from the Bitcoin operations alone.